ASA Migration Problems

Hi,
I'm trying to migrate the configuration of an ASA 5520 (version ASA 8.0(5)) to an ASA 5585 (version 8.4(2)). I keep getting some errors, which are included below. I've been struggling with these for a couple of weeks and have read the documentation on cisco.com (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html) and also some pages on this forum. Some lines are written in bold; those are the ones I wasn't able to find any information about. Any help is appreciated. Thanks.
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203062349.log'
Reading from flash...
!!!!!!!!!!!!!!!!!!!WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
WARNING: MIGRATION: Failed to create acl element to track during migration
*** Output from config line 1291, "access-group outside_acc..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1292, "access-group inside_acce..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1293, "access-group DMZ_access_..."
WARNING: MIGRATION: During migration of access-list <XXXXXXX> expanded
this object-group ACE
    permit object-group DM_INLINE_SERVICE_5 XXX 255.255.255.0 DMZnet 255.255.255.0
WARNING: MIGRATION: Failed to create acl element to track during migration
*** Output from config line 1298, "access-group XXXXX..."
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 2
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 3
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 4
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 5
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 6
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 7
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 8
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 9
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 10
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 11
*** Output from config line 1797, "service-policy global-po..."
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
nat (inside) 1 access-list inside_nat_outbound
WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
global (outside) 10 interface
nat (inside) 0 logserver 255.255.255.255
WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
nat (inside) 0 logserver 255.255.255.255
The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
nat (inside) 1 icnetwork 255.255.0.0
ERROR: MIGRATION: No memory to create migrated service-policy element
The following 'nat' command didn't have a matching 'global' rule on interface 'TAV' and was not migrated.
nat (dmz) 1 access-list dmz_nat_outbound
INFO: NAT migration completed.
ERROR: an object-group with the same name (egitim) exist.
WARNING: Failed to create an object for name 'egitim' in the following ACL:
access-list DMZ_access_in extended permit tcp host 9.1.1.90 object-group egitim any

Ummm,
Did you possibly try the default username/password combination (cisco/cisco)? It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, whether it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system.
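The NAT section of the log above is the part a practitioner can act on, so here is a worked 8.4-style equivalent for the lines it reports as "not migrated". This is an added example, not taken from the original post or from the migration tool's own output. The addresses behind the names `logserver` and `icnetwork`, the objects `inside-net`, `dmz-net` and `partner-net`, the NAT-exempt access list and the contents of `inside_nat_outbound` are assumptions; take the real values from `show running-config name` and the access lists on the 8.0(5) box. What the example shows: NAT exempt and identity NAT become twice NAT (section 1), which is evaluated before object NAT (section 2), so a bypass rule can sit next to a catch-all dynamic PAT without ordering surprises; policy NAT driven by an access list becomes twice NAT with an identity destination; a plain `nat`/`global` pair becomes object NAT on one explicit interface pair, which is also why a `nat (inside) 1` that never had a `global (dmz) 1` produces nothing for the inside,dmz pair (there was no translation there before either). Since 8.3 there is no `nat-control`, so traffic that matches no rule is forwarded untranslated; the identity rule is only needed where a broader dynamic rule would otherwise catch the host.

```text
! Added example, not from the thread. Addresses and object names are assumed.
! The full list of lines that need this treatment is in the file the
! migration wrote:  more flash:upgrade_startup_errors_201203062349.log

object network logserver
 host 10.1.1.50
object network inside-net
 subnet 10.1.0.0 255.255.0.0
object network dmz-net
 subnet 192.168.10.0 255.255.255.0
object network partner-net
 subnet 203.0.113.0 255.255.255.0

! --- Section 1: twice NAT, evaluated top-down, before any object NAT ---

! NAT exempt:  nat (inside) 0 access-list <acl>
!              (assumed ACL: permit ip inside-net dmz-net)
nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net

! Identity NAT:  nat (inside) 0 logserver 255.255.255.255
! Needed only because the dynamic rules further down would match this host.
nat (inside,outside) source static logserver logserver

! Policy NAT:  nat (inside) 1 access-list inside_nat_outbound
!              global (outside) 1 interface          (global ID assumed)
! The ACL's destination becomes an identity destination in twice NAT.
nat (inside,outside) source dynamic inside-net interface destination static partner-net partner-net

! --- Section 2: object NAT, one explicit interface pair per rule ---

! Plain dynamic PAT:  nat (inside) 1 icnetwork 255.255.0.0
!                     global (outside) 1 interface    (global ID assumed)
! Pre-8.3 this applied to every lower-security interface that had a
! global with the same ID; with no global (dmz) 1 there was never a
! translation towards dmz, so nothing is created for (inside,dmz).
object network icnetwork
 subnet 10.2.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

! Duplicate-name error: a "name" entry and an object-group are both
! called egitim, and the migration turns names into objects. On the
! 8.0(5) config, rename the name entry before migrating, e.g.
!   name 9.1.1.5 egitim-host        (IP assumed)
! update the ACLs that reference it, then re-run the migration.

! Verify on the 8.4(2) box: the NAT phase of the trace should report the
! "source static logserver logserver" rule, i.e. no translation.
show nat detail
packet-tracer input inside udp 10.1.1.50 1025 203.0.113.10 514
```

The warning about static NATs overlapping the NAT-exempt source means those `static` lines were dropped rather than converted; compare `show nat detail` on the new box against every `static (inside,outside)` line of the old config and recreate any missing ones as `nat (inside,outside) source static <real> <mapped>` rules, placed after the exempt rule so the exemption still wins for the VPN or DMZ destinations.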

Similar Messages

  • Cisco PIX to Cisco ASA Migration Tool

    Hello,
    I appreciate any help to download the The Cisco PIX to ASA migration tool referred at
    http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
    Thanks in Advance
    Francisco Almeida

    As a registered user, go to the download page for Pix Software here.
    Navigate on the menu tree to "Version 1.0" and you should see the software available to download:

  • Photoshop/Elements to Revel Photo Migration Problem!

What happened to my Photoshop/Elements photos? They were supposedly migrated, but I don't see them! I have no albums in my Revel account. I had a paid subscription and it was cancelled back in or around February, and I was told that the photos would be moved over to Revel... Can anyone help me to get them back?

First, thanks Pattie for following up with me. I am going to check my backed-up hard drives to see if my Photoshop materials are on them. It will take me a few days, as I have only small amounts of time to research it at this time. Maybe a break will come in a day or two for a determination.
Quoted reply from Pattie F (Photoshop.com Sharing and Storage forum, 12 Aug 2013):
    Michael-
Is it possible you logged into Photoshop.com with a different email, or is it possible that you did not set up your Elements to sync with Photoshop.com? These are the two main reasons users cannot find their files.
The Photoshop.com account created in 2009 with the email you use to log in to this forum has no files in it, and therefore nothing migrated to the Revel account with the same login. You do have a Revel account with the same login, but it is also empty since nothing migrated.
    Pattie

  • I have one migration problem.

    Dear All,
I have one migration problem.
While doing transfer rules migration I got a popup saying "GJAHR source field automatic conversion is not possible".
What is this message? If I continue, what will happen, and if not, what should I do?

Hi vsuree,
If you are getting this message for field FISCPER of your data source, then map Fiscper to 0Fiscyear; the system will automatically convert it and the problem will be resolved. Hope it helps.
Thanks

  • Catalog Migration Problem from 10g to 11g

    Hi,
When I am trying to migrate the catalog from 10g to 11g, I have some problems:
1. In OBIEE 10g (under the root folder) it shows only around 5 dashboards. But when I look in the Catalog Manager of OBIEE 10g it shows 12 dashboards and pages.
Can someone please help me on this: how to see the other dashboards and pages in OBIEE 10g (under the root folder)?
2. When I try to migrate the catalog folder to OBIEE 11g, it also shows around 5 dashboards, and the other dashboards are not visible after migration.
Can someone please help me on this: how to see the other dashboards and pages in OBIEE 11g as well?

    Hi,
In the Webcat there can be some content that is inconsistent/invalid, and such content has 0 byte size. Please check whether the dashboard files that are not visible, and their corresponding .atr files, have 0 byte size.
Another possibility is that the dashboards are hidden for the user-id you are using to log in.
Please mark as helpful/correct if this reply helps.
    Thanks,
    Vijay

  • CUCM 8.6(2) migration problem with external calls

    Hello all.
Yesterday we migrated our telephone infrastructure from CM 4.x to CUCM 8.6(2), after some weeks of tests.
Last night everything seemed to work properly: all phones updated and registered, external calls going out and in.
But since this morning, with all users at work, a strange problem has appeared that I haven't been able to solve so far: randomly, all external calls drop.
I can't pin down this problem, since the gateways (all Cisco 2811 routers) are the same and have the same configuration as yesterday.
The only thing I can think of is that the router that seems to cause the problem is configured not with MGCP by CUCM, but with H.323 routing inside the router.
Any suggestions will be greatly appreciated.
    Daniele

The GW says normal call clearing.
But maybe I've found the problem.
I've found a bug fixed in the latest CUCM release (8.6(2a)SU1) that says "h.323 calls improperly disconnected".
So I'm trying to upgrade from 8.6(2a) to 8.6(2a)SU1, but the process fails :-(
I've tried from a DVD and also loading the ISO image from SFTP, but after a few minutes this error appears:
    08/04/2012 09:43:55 upgrade_install.sh|Started auditd...|
    08/04/2012 09:43:56 upgrade_install.sh|Started setroubleshoot...|
    08/04/2012 09:43:56 upgrade_install.sh|Changed selinux mode to enforcing|
    08/04/2012 09:43:56 upgrade_install.sh|Cleaning up rpm_archive...|
    08/04/2012 09:43:56 upgrade_install.sh|Removing /common/rpm-archive/8.6.2.21900-5|
    08/04/2012 09:43:56 upgrade_install.sh|File:/usr/local/bin/base_scripts/upgrade_install.sh:599, Function: main(), Upgrade Failed -- (1)|
    08/04/2012 09:43:56 upgrade_install.sh|set_upgrade_result: set to 1|
    08/04/2012 09:43:56 upgrade_install.sh|is_upgrade_lock_available: Upgrade lock is not available.|
    08/04/2012 09:43:56 upgrade_install.sh|is_upgrade_in_progress: Already locked by this process (pid: 1286).|
    08/04/2012 09:43:56 upgrade_install.sh|release_upgrade_lock: Releasing lock (pid: 1286)|
I've already rebooted the server and the problem remains.
    Thanks for any other suggestions.
    Daniele

  • ASA upgrade problems

I am having this problem upgrading my standby ASA. It never gives an error, it just boots over and over again. Anyone have any suggestions? Without even an error it's hard to figure out what's up. Thanks!
    Cisco Systems ROMMON Version (1.0(11)4) #0: Fri Mar 21 17:35:35 PDT 2008
    Platform ASA5550
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 1 entry.
    Loading disk0:/asa911-k8.bin... Booting...
    Platform ASA5550
    Loading...
    IO memory blocks requested from bigphys 32bit: 66624
    Booting system, please wait...
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(11)4 03/21/08 17:09:54.41
    Low Memory: 631 KB
    High Memory: 3968 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  00  00   8086   2578  Host Bridge       
    00  01  00   8086   2579  PCI-to-PCI Bridge 
    00  03  00   8086   257B  PCI-to-PCI Bridge 
    00  1C  00   8086   25AE  PCI-to-PCI Bridge 
    00  1D  00   8086   25A9  Serial Bus         11
    00  1D  01   8086   25AA  Serial Bus         10
    00  1D  04   8086   25AB  System            
    00  1D  05   8086   25AC  IRQ Controller    
    00  1D  07   8086   25AD  Serial Bus         9
    00  1E  00   8086   244E  PCI-to-PCI Bridge 
    00  1F  00   8086   25A1  ISA Bridge        
    00  1F  02   8086   25A3  IDE Controller     11
    00  1F  03   8086   25A4  Serial Bus         5
    00  1F  05   8086   25A6  Audio              5
    02  01  00   8086   1075  Ethernet           11
    03  01  00   177D   0003  Encrypt/Decrypt    9
    03  02  00   8086   1079  Ethernet           9
    03  02  01   8086   1079  Ethernet           9
    03  03  00   8086   1079  Ethernet           9
    03  03  01   8086   1079  Ethernet           9
    04  02  00   8086   1209  Ethernet           11
    04  03  00   8086   1209  Ethernet           5
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(11)4) #0: Fri Mar 21 17:35:35 PDT 2008
    Platform ASA5550
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Boot configuration file contains 1 entry.
    Loading disk0:/asa911-k8.bin... Booting...
    Platform ASA5550
    Loading...
    IO memory blocks requested from bigphys 32bit: 66624
    Booting system, please wait...

Did you ever find a solution? I have several 5505's that are doing this. They seem to run 8.4.3 fine, but not 8.4.6 or 8.4.7. I have two boot commands in the config, the first for 8.4.6-5 and the second for 8.4.6. Plugging in the ASA, it tries to boot 8.4.6, but boot-loops. If I ESC to ROMMON and manually boot 8.4.3 it will load fine. I have several ASA 5505's doing this that have been upgraded using the ASDM tool. This particular output is for one with 8.4.6, but I have others with 8.4.7 that do exactly the same thing, again upgraded from the ASDM tool.
    CISCO SYSTEMS                                                                            
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45                                     
    Low Memory: 632 KB                                                                       
    High Memory: 251 MB                                                                      
    PCI Device Table.                                                                        
    Bus Dev Func VendID DevID Class              Irq                                         
    00  01  00   1022   2080  Host Bridge                                                   
    00  01  02   1022   2082  Chipset En/Decrypt 11                                         
    00  0C  00   1148   4320  Ethernet           11                                         
    00  0D  00   177D   0003  Network En/Decrypt 10                                         
    00  0F  00   1022   2090  ISA Bridge                                                    
    00  0F  02   1022   2092  IDE Controller                                                                      
    00  0F  03   1022   2093  Audio              10                                                               
    00  0F  04   1022   2094  Serial Bus         9                                                                
    00  0F  05   1022   2095  Serial Bus         9                                                                
    Evaluating BIOS Options ...                                                                                    
    Launch BIOS Extension to setup ROMMON                                                                          
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008                                      
    Platform ASA5505                                                                                               
    Use BREAK or ESC to interrupt boot.                                                                            
    Use SPACE to begin boot immediately.                                                                           
    Launching BootLoader...                                                                                        
    Boot configuration file contains 2 entries.                                                                    
    Loading disk0:/asa846-5-k8.bin... Booting...                                                                   
    Platform ASA5505                                                                                               
    Loading...                                                                                                     
    IO memory blocks requested from bigphys 32bit: 9672                                                            
    CISCO SYSTEMS                                                                                                  
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45                                                           
    Low Memory: 632 KB                                                                                             
    High Memory: 251 MB                                                                                            
    PCI Device Table.                                                                                              
    Bus Dev Func VendID DevID Class              Irq                                                               
    00  01  00   1022   2080  Host Bridge                                                                         
    00  01  02   1022   2082  Chipset En/Decrypt 11                                                               
    00  0C  00   1148   4320  Ethernet           11                                                               
    00  0D  00   177D   0003  Network En/Decrypt 10                                                               
    00  0F  00   1022   2090  ISA Bridge                                                                          
    00  0F  02   1022   2092  IDE Controller                                                                      
    00  0F  03   1022   2093  Audio              10                                                               
    00  0F  04   1022   2094  Serial Bus         9                                                                
    00  0F  05   1022   2095  Serial Bus         9                                                                
    Evaluating BIOS Options ...                                                                                    
    Launch BIOS Extension to setup ROMMON                                                                          
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008                                      
    Platform ASA5505                                                                                               
    Use BREAK or ESC to interrupt boot.                                                                            
    Use SPACE to begin boot immediately.                                                                           
    Launching BootLoader...                                                                                        
    Boot configuration file contains 2 entries.                                                                    
    Loading disk0:/asa846-5-k8.bin... Booting...                                                                   
    Platform ASA5505                                                                                               
    Loading...                                                                                                     
    IO memory blocks requested from bigphys 32bit: 9672                                                            
    CISCO SYSTEMS                                                                                                  
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45                                                           
    Low Memory: 632 KB                                                                                             
    High Memory: 251 MB                                                                                            
    PCI Device Table.                                                                                              
    Bus Dev Func VendID DevID Class              Irq                                                               
    00  01  00   1022   2080  Host Bridge                                                                         
    00  01  02   1022   2082  Chipset En/Decrypt 11                                                               
    00  0C  00   1148   4320  Ethernet           11                                                               
    00  0D  00   177D   0003  Network En/Decrypt 10                                                               
    00  0F  00   1022   2090  ISA Bridge                                                                          
    00  0F  02   1022   2092  IDE Controller                                                                      
    00  0F  03   1022   2093  Audio              10                                                               
    00  0F  04   1022   2094  Serial Bus         9                                                                
    00  0F  05   1022   2095  Serial Bus         9                                                                
    Evaluating BIOS Options ...                                                                                    
    Launch BIOS Extension to setup ROMMON                                                                          
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008                                      
    Platform ASA5505                                                                                               
    Use BREAK or ESC to interrupt boot.                                                                            
    Use SPACE to begin boot immediately.                                                                           
    Launching BootLoader...                                                                                        
    Boot configuration file contains 2 entries.                                                                    
    Loading disk0:/asa846-5-k8.bin...                                                                              
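A recovery sequence for the loop shown above, added here as an example; neither participant posted it. The image file names are the ones visible in the boot output, the hostname `ciscoasa` and the second 8.4.6 file name are assumed. Two facts are worth establishing before trying the new image again: whether the file on disk0: is the one Cisco published (`verify /md5` prints the hash to compare with the download page, which catches an upload that was cut short), and whether the box meets the release's memory requirement (8.3 and later require 512 MB on an ASA 5505, while the BIOS banner above reports 251 MB of high memory). `boot system` entries are tried in the order they were configured, so the known-good image has to be entered first.

```text
! Added example, not part of the thread. File names from the boot output;
! hostname and the second 8.4.6 file name are assumed.

! 1. Interrupt the loop (ESC at "Use BREAK or ESC to interrupt boot")
!    and boot the image that is known to work, straight from ROMMON.
rommon #0> boot disk0:/asa843-k8.bin

! 2. With the old image running, check the new file against the MD5
!    published on the download page, and the RAM against the release
!    requirement (512 MB on a 5505 for 8.3 and later).
ciscoasa# dir disk0:
ciscoasa# verify /md5 disk0:/asa846-5-k8.bin
ciscoasa# show version | include RAM

! 3. Until the cause is fixed, make the working image the first boot
!    entry so an unattended reboot cannot loop again.
ciscoasa# show boot
ciscoasa# configure terminal
ciscoasa(config)# no boot system disk0:/asa846-5-k8.bin
ciscoasa(config)# no boot system disk0:/asa846-k8.bin
ciscoasa(config)# boot system disk0:/asa843-k8.bin
ciscoasa(config)# boot system disk0:/asa846-5-k8.bin
ciscoasa(config)# end
ciscoasa# show boot
ciscoasa# write memory
```

Keeping the 8.4.6 image as the second entry is optional; it documents what was attempted without letting it take the box down on the next reload.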

  • ASA ACL Problems

I have several new ASA-5520 boxes. All are configured with version 7.0(6) (Cisco recommendation) and in active/standby configuration.
The problem is that the ACLs seem to disappear. For example, I have an outside access list that has about 20 lines. Every once in a while the ACL will start blocking traffic that is permitted by the ACL. When I do a 'sh access-list outside' it says that there are only two elements. They are there when I look at the running config. If I wait a while they start to work again and show up as 'active elements' again. I can force a failover and failback to fix it, or restart the firewall. I will open a TAC case on Monday. I was hoping that maybe someone has seen this and has a quick solution.
    Thanks,
    Patrick

    could you provide the show running-config?

  • ASA Routing problems?

    Hi there,
I have a problem with routing on an ASA 5505.
    Here is a brief explanation of the topology:
    DC Upstream IP: 77.246.165.141/30
    ASA 5505 Upstream to DC IP: 77.246.165.142/30
    Interface outside.
    There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.
    ASA 5505 Public VLAN interface ip: 31.24.36.1/26
    Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.
    From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.
    Now I have asked from DC additional subnet: 31.24.36.192/26 and they have it routed correctly towards the ASA Outside interface ip: 77.246.165.142.
    I have created additional Public2 VLAN on the Switch with IP address of: 31.24.36.193/26.
On the ASA 5505 I added the route to this Public2 VLAN:
#route public 31.24.36.192 255.255.255.192 31.24.36.62 1
Now, from the Switch with source IP 31.24.36.193 I can ping the ASA 5505 Public VLAN IP 31.24.36.1, so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.
But I can't access the Internet from the Switch with source IP 31.24.36.193.

    Thanks for the replies.
    I am running:
    Cisco Adaptive Security Appliance Software Version 8.2(2)
    As for NAT configuration, there is NAT configured between the Outside Interface IP and the Internal Subnet:
    global (outside) 1 interface
    nat (inside) 1 192.168.X.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
Also, there is NAT exemption configured because of the Site-to-Site IPsec VPN that we have:
    nat (inside) 0 access-list inside_nat0_outbound1
    access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0
    access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0
    access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248
    access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0
    I don't have any ACL configured on the Public interface in any direction.
    Here is the configuration on the Switch regarding this scenario:
    interface FastEthernet2/0/X
    description Access Port for Public Subnet(31.24.32.0/26) to ASA
    switchport access vlan 500
    switchport mode access
    interface Vlan500
    description Public VLAN 1
    ip address 31.24.36.62 255.255.255.192
    interface Vlan510
    description Public VLAN 2
    ip address 31.24.36.193 255.255.255.192
    ip route 0.0.0.0 0.0.0.0 31.24.36.1
    Here is the output when pinging the ASA Public Interface IP with source IP address of: 31.24.36.193(VLAN 510)
    SWITCH#ping 31.24.36.1 source vlan 510
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
    Packet sent with a source address of 31.24.36.193
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
    And here is when I try to ping some Internet host:
    SWITCH#ping 8.8.8.8 source vlan 510
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    Packet sent with a source address of 31.24.36.193
    Success rate is 0 percent (0/5)
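A diagnostic sequence for the symptom above (a ping sourced from 31.24.36.193 reaches the ASA's public interface but not 8.8.8.8), added here as an example rather than taken from the thread. It assumes the ASA interface facing the 3750 is named `public` (the name used in the `route public` command), that the ASA runs the 8.2 `nat`/`global` model as posted, and made-up hostname and capture names. The idea is to let the ASA say which phase drops the packet instead of guessing: the working source 31.24.36.62 and the failing 31.24.36.193 differ only in that the second is reached through a static route, so `packet-tracer` and a capture on each side settle whether the request leaves the outside interface and whether the DC ever returns a reply for the new /26.

```text
! Added example, not part of the thread. Interface name "public" is from the
! route command in the post; hostname and capture names are assumed.

! 1. Trace the failing ping through the ASA's own pipeline; the output
!    names the phase (route lookup, NAT, ACL, ...) that drops it.
ciscoasa# packet-tracer input public icmp 31.24.36.193 8 0 8.8.8.8 detailed

! 2. Confirm the route and whether a translation is being demanded.
!    The "nat (inside) 1 ..." lines in the post cover inside only; a
!    source on "public" with no nat statement is only a problem when
!    nat-control is enabled.
ciscoasa# show route | include 31.24.36
ciscoasa# show running-config nat-control
ciscoasa# show nat
ciscoasa# show xlate | include 31.24.36.193

! 3. Capture on both sides while the 3750 runs "ping 8.8.8.8 source vlan 510":
!    does the echo request leave "outside", and does an echo reply for
!    31.24.36.193 ever arrive back from the DC?
ciscoasa# capture pub-cap interface public match icmp host 31.24.36.193 any
ciscoasa# capture out-cap interface outside match icmp host 31.24.36.193 any
ciscoasa# show capture pub-cap
ciscoasa# show capture out-cap
ciscoasa# no capture pub-cap
ciscoasa# no capture out-cap
```

If the request is seen on `outside` but no reply comes back, the DC's route for 31.24.36.192/26 towards 77.246.165.142 is the next thing to verify with the provider; if the reply arrives on `outside` and is dropped there, the outside access list (or a missing `inspect icmp`) is what `packet-tracer` run in the reverse direction will show.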

  • AT&T DSL & Cisco ASA 5505 Problems

Okay, I have been working with a 5505 for two days and finally got it configured and working on an AT&T DSL modem. Then, when I took the 5505 to the client's office and connected/configured it to their AT&T DSL with their IPs, the whole thing quit working. I noticed, walking through the Tech discussions, that there are lots of problems with AT&T DSL deployments, and I also discovered that the one working configuration was attached to a DSL in AT&T's standard deployment as a DHCP router using dynamic IPs, while the second is in bridge mode using static IPs.
So here's the question: why won't the DSL modem in bridge mode work as a typical Internet connection like a cable modem? I have a Cisco Wireless VPN 4400 connected to it in bridge mode using static IPs and it works great, and on the 4400 there are no special PPPoE settings that have to be set, just standard IPs, DNSs, gateways, masks...
I see in the Cisco Tech Notes that it is recommended/mandatory to configure vpdn groups and the Vlan2 to take into account the PPPoE configuration of the AT&T DSL modem, but if the DSL modem is already set in bridge mode and is handling the PPPoE authentication, why does the 5505 have to do it again? This seems redundant. Will try to use the example configuration additions above and post here with the results.
BTW, the configuration with the DSL set as a DHCP router works without any special PPPoE configs.
Very puzzling, this DSL configuration conundrum... Last point for businesses: if you can use cable or a non-DSL ISP you should do so, this AT&T stuff is for the birds... Angry Birds...
    Thanks for the assistance in advance!!!

If static IP address:
vpdn group INTERNET request dialout pppoe
vpdn group INTERNET ppp authentication {chap|mschap|pap}
vpdn group INTERNET localname setroute
pppoe client vpdn group INTERNET
mtu outside 1492

Hi Ferdinand. I don't know what a Smartnet contract is. How do I know if we have one? This ASA basically hasn't been touched for 5 years. Almost the entire staff has rotated through this company since then and nobody knows anything. I found the invoice for it this morning after accounts searched for it, but it appears to have been purchased from a non-services retailer. I contacted them and while they confirm they sold it to us they know nothing about it. They don't offer service.
    What are my options?

  • ASA Migration of DHCP Scope to a Server

    Hello All,
    We migrated the DHCP scope from the ASA to a MS DHCP server with this configuration:
    group-policy BV-SSL1 internal
    group-policy BV-SSL1 attributes
    no address-pools value remotepool4 remotepool2 remotepool3
    no intercept-dhcp enable
    dhcp-network-scope 10.180.49.0
    exit
    tunnel-group BVVPN10 general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    tunnel-group BV-SSL general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    no vpn-addr-assign aaa
    no vpn-addr-assign local
    vpn-addr-assign dhcp
This ran well until we used all 254 addresses specified in the dhcp-network-scope.
My question is: should I have specified dhcp-network-scope none so that all 3 scopes can be used to hand out IP addresses to the remote users?
    Thanks,
    Kimberly

    Okay, that's at least a good start. Can you monitor the ULS logs while you attempt to browse to the site to see what form of error(s) you're getting?
    Trevor Seward

  • Cisco ASA 5505 - problem with negotiating IP address from PPPoE

    Hi all,
I have a problem with negotiating an IP address from PPPoE. This is the design: the ISP provides vDSL ending on a VDSL modem in bridge mode. Behind the bridge modem is an ASA 5505 terminating PPPoE on OUTSIDE. Everything works fine except negotiating the IP address from the PPPoE server.
I have configured the ASA 5505 (ASA Version 9.2(2)4) for PPPoE like this [1.]. But if I try to "show" the IP address on the OUTSIDE interface I get this [2.]; ok, strange, but let's continue. If I list "show vpdn pppinterface id 1" I get this [3.]. It seems that I got a public IP address, which is right, but this IP address was not associated with interface OUTSIDE?
Well, if I set the IP address manually like this [4.] and also set a default route, everything works fine, but what will happen when the ISP changes the reservation for my IP address or default gateway?
I have tried different versions of the ASA OS like 8.4 and 9.1, but without luck.
Can anybody help me? Thanks a lot.
    Regards
    Karel
    [1.]
    interface Vlan100
    description >>VLAN pro pripojeni do internetu<<
    nameif OUTSIDE
    security-level 0
    pppoe client vpdn group O2
    ip address pppoe setroute
    vpdn group O2 request dialout pppoe
    vpdn group O2 localname O2
    vpdn group O2 ppp authentication chap
    vpdn username O2 password *****
    interface Ethernet0/0
    description >>uplink O2 vDSL<<
    switchport access vlan 100
    [2.]
    ciscoasa(config-if)# show ip address vlan 100 pppoe
    ciscoasa(config-if)#  0.0.0.0 255.255.255.255 on Interface: OUTSIDE
    ciscoasa(config-if)# show interface vlan 100 detail
    Interface Vlan2 "OUTSIDE", is up, line protocol is up
     Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
            Description: >>VLAN pro pripojeni do internetu<<
            MAC address f44e.05d0.6c17, MTU 1492
            IP address unassigned
      Traffic Statistics for "OUTSIDE":
            28 packets input, 1307 bytes
            31 packets output, 721 bytes
            0 packets dropped
          1 minute input rate 0 pkts/sec,  3 bytes/sec
          1 minute output rate 0 pkts/sec,  1 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
      Control Point Interface States:
            Interface number is 15
            Interface config status is active
            Interface state is active
    [3.]
    ciscoasa(config-if)# show vpdn pppinterface id 1
    PPP virtual interface id = 1
    PPP authentication protocol is CHAP
    Server ip address is 88.103.200.41
    Our ip address is 85.71.188.158
    Transmitted Pkts: 20, Received Pkts: 16, Error Pkts: 0
    MPPE key strength is None
      MPPE_Encrypt_Pkts: 0,  MPPE_Encrypt_Bytes: 0
      MPPE_Decrypt_Pkts: 0,  MPPE_Decrypt_Bytes: 0
      Rcvd_Out_Of_Seq_MPPE_Pkts: 0
    ciscoasa(config-if)# show vpdn session state
    %No active L2TP tunnels
    %No active PPTP tunnels
    PPPoE Session Information (Total tunnels=1 sessions=1)
    SessID TunID Intf     State       Last Chg
    22298      2 OUTSIDE  SESSION_UP  561 secs
    [4.]
    interface Vlan100
     description >>VLAN pro pripojeni do internetu<<
     nameif OUTSIDE
     security-level 0
     pppoe client vpdn group O2
     ip address 85.71.188.158 255.255.255.255 pppoe setroute
     route OUTSIDE 0.0.0.0 0.0.0.0 88.103.200.41 1

  • ASA 5505 Problem ACL

    Dear All,
    I have a problem with the configuration of the ACL of my ASA 5505 router.
    However, the syntax seems okay
    access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any
    Thanks for your help

    Hi,
    It's hard to say when I can't see your whole configuration.
    Have you attached the ACL to an interface on the ASA?
    access-group 121 in interface <nameif>
    Only then will the ACL have any effect on the traffic. Remember, though, to allow the other traffic in the SAME ACL; otherwise you will block all traffic from behind the interface to which you attach it.
    This ACL naturally won't block ICMP between hosts on the same network, however.
    - Jouni
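    The two points in the answer (an ACL does nothing until access-group binds it, and an ACL made only of deny lines blocks everything because of the implicit deny at the end) are easy to check mechanically. The following Python script is an added example, not code from the thread or from Cisco: it parses the posted ACE plus a constructed "fixed" version, lints for unbound ACLs and ACLs without a permit, and evaluates sample flows with ASA first-match semantics. The interface name "inside" in the fixed config is an assumption; only the "any", "host A.B.C.D" and "A.B.C.D M.M.M.M" address forms and an optional "eq <port>" on the destination are handled.

```python
"""First-match evaluator and linter for Cisco ASA extended access-lists.

Added example, not code from the thread or from Cisco. ASA semantics:
the first matching ACE wins, and a packet matching nothing hits the
implicit deny. Address forms handled: any, host A.B.C.D, A.B.C.D M.M.M.M
(dotted subnet mask, not a wildcard); ports: optional "eq <port>" after
the destination. The interface name "inside" below is hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol; others match exactly
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # from "eq <port>" after the destination, if present


def _parse_addr(tok, i):
    """Consume one ASA address spec starting at tok[i]; return (network, next_index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, {acl_name: (direction, nameif)})."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) >= 7 and tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = _parse_addr(tok, 5)
            dst, i = _parse_addr(tok, i)
            port = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, port))
        elif len(tok) >= 5 and tok[0] == "access-group" and tok[3] == "interface":
            bindings[tok[1]] = (tok[2], tok[4])   # access-group NAME in|out interface NAMEIF
    return acls, bindings


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None):
    """Return (verdict, index_of_matching_ace); index is None for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, idx
    return "deny", None


def lint(acls, bindings):
    """Findings a reviewer would raise before applying the config."""
    findings = []
    for name, aces in acls.items():
        if name not in bindings:
            findings.append(f"ACL {name} is never applied with access-group, so it has no effect")
        if not any(a.action == "permit" for a in aces):
            findings.append(f"ACL {name} has no permit ACE; once applied, the implicit deny blocks all traffic")
    for name in bindings:
        if name not in acls:
            findings.append(f"access-group references ACL {name}, which has no ACEs")
    return findings


# Constructed from the thread: the single posted ACE, never bound to an interface.
POSTED_CONFIG = """
access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any
"""

# Constructed fix: same deny, then an explicit permit, bound inbound on "inside" (hypothetical name).
FIXED_CONFIG = """
access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any
access-list 121 extended permit ip 192.168.0.0 255.255.255.0 any
access-group 121 in interface inside
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        acls, bindings = parse_config(cfg)
        print(label, "lint:", lint(acls, bindings) or "clean")
        print(label, "icmp 192.168.0.10 -> 8.8.8.8:", evaluate(acls["121"], "icmp", "192.168.0.10", "8.8.8.8"))
        print(label, "tcp/443 192.168.0.10 -> 8.8.8.8:", evaluate(acls["121"], "tcp", "192.168.0.10", "8.8.8.8", 443))
```

Running it shows the posted ACL denying ICMP by its one ACE but also denying the TCP flow through the implicit deny, which is the "you will block all traffic" case from the answer; the fixed config denies ICMP and permits the rest.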

  • ASA boot problem

    Hello,
    I have a problem with an ASA 5505. One of our customers brought me an ASA 5505 with a deleted flash. They want me to fix the problem. I tried to load an image from rommon mode, but failed many, many times. I used 4 different software files. I tried many, many times and most often I get:
    Cisco Security Appliance admin loader (3.0) #0: Thu Aug  7 20:59:50 MDT 2008
    sumval(0x12b7) chksum(0x0   )md5(0x42c85cfa 0xf6dcadb9 0x72f7072f 0xb799f56b)
    md5(0xb28e4ed2 0x301e63f0 0xc2fe8317 0xd320bbe2)
    Checksum verification on install image failed.
    with the asa722-k8.bin file.
    On one occasion, when I booted asa804-k8.bin, the ASA attempted to boot but got stuck immediately and became idle. Nothing happened; I left it for 24 hours and nothing happened.
    Please, if someone knows what to do, let me know!!!
    Here is the detailed output from the ASA:
    rommon #0>
    rommon #0> ADDRESS=192.168.0.26
    rommon #1> SERVER=192.168.0.212
    rommon #2> IMAGE=asa804-k8.bin
    rommon #3> PORT=Ethernet0/0
    Ethernet0/0
    MAC Address: 0025.840d.52d8
    Link is UP
    rommon #4> tftp
    ROMMON Variable Settings:
      ADDRESS=192.168.0.26
      SERVER=192.168.0.212
      GATEWAY=0.0.0.0
      PORT=Ethernet0/0
      VLAN=untagged
      IMAGE=asa804-k8.bin
      CONFIG=
      LINKTIMEOUT=20
      PKTTIMEOUT=4
      RETRY=20
    tftp asa804-k8.bin@192.168.0.212
    Received 14137344 bytes
    Launching TFTP Image...
    Cisco Security Appliance admin loader (3.0) #0: Thu Aug  7 20:59:50 MDT 2008
    sumval(0x12b7) chksum(0x0   )md5(0x42c85cfa 0xf6dcadb9 0x72f7072f 0xb799f56b)
    md5(0xb28e4ed2 0x301e63f0 0xc2fe8317 0xd320bbe2)
    Checksum verification on install image failed.
    Rebooting....
    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
    Low Memory: 632 KB
    High Memory: 251 MB
    PCI Device Table.
    Bus Dev Func VendID DevID Class              Irq
    00  01  00   1022   2080  Host Bridge
    00  01  02   1022   2082  Chipset En/Decrypt 11
    00  0C  00   1148   4320  Ethernet           11
    00  0D  00   177D   0003  Network En/Decrypt 10
    00  0F  00   1022   2090  ISA Bridge
    00  0F  02   1022   2092  IDE Controller
    00  0F  03   1022   2093  Audio              10
    00  0F  04   1022   2094  Serial Bus         9
    00  0F  05   1022   2095  Serial Bus         9
    Evaluating BIOS Options ...
    Launch BIOS Extension to setup ROMMON
    Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
    Platform ASA5505
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Launching BootLoader...
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image
    Failsafe booting engaged.
    Default configuration file contains 1 entry.
    Searching / for images to boot.
    No images in /
    Error 15: File not found
    unable to boot an image

    Hi,
    I just reloaded an image to my ASA 5505 and did the following.
    Saved the image file asa831-k8.bin and installed a TFTP server app (Pumpkin).
    Added the following:
    rommon #0> ADDRESS=192.168.0.? (Where this is the address you want to give the ASA)
    rommon #1> SERVER=192.168.0.? (Where this is the address of the laptop you have Pumpkin installed on)
    rommon #2> IMAGE=asa831-k8.bin
    rommon #3> PORT=Ethernet0/1 (As I had the laptop connected to the ASA on this port)
    Press Enter; it should display the following:
    Ethernet0/1
    MAC Address: 0025.840d.52d8
    Link is UP
    Type:
    rommon #4> tftp
    When it finished, I rebooted the ASA and it loaded the new image.
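    Before repeating the rommon TFTP procedure it is worth ruling out a bad local copy of the image, since "Checksum verification on install image failed" is what the loader prints when the image it received does not verify. The shell function below is an added example, not from the thread or from Cisco: it compares the file's MD5 with the digest published on the Cisco download page for that image (the digest in the usage comment is a placeholder, not a real one) and, when rommon has reported "Received N bytes", checks that N equals the file size so a truncated transfer is caught too.

```shell
#!/bin/sh
# verify_image FILE EXPECTED_MD5 [RECEIVED_BYTES]
#   Returns 0 when the local image matches the published MD5 and, if given,
#   the byte count rommon printed after the TFTP transfer; non-zero otherwise.
#   Added example; EXPECTED_MD5 must come from Cisco's download page.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    received=${3:-}

    if [ ! -s "$file" ]; then
        echo "FAIL: $file is missing or empty" >&2
        return 1
    fi

    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: md5 mismatch for $file (have $actual, want $expected)" >&2
        return 1
    fi

    size=$(wc -c < "$file" | tr -d ' ')
    if [ -n "$received" ] && [ "$size" -ne "$received" ]; then
        echo "FAIL: rommon received $received bytes but $file is $size bytes (truncated transfer?)" >&2
        return 1
    fi

    echo "OK: $file matches $expected ($size bytes)"
    return 0
}

# Usage, with a placeholder digest (not a real Cisco value):
#   verify_image asa804-k8.bin 0123456789abcdef0123456789abcdef 14137344
```

Run it on the TFTP server against the file the ROMMON IMAGE variable names; a mismatch means re-download the image rather than retrying the transfer.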

  • Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface

    Hi all,
    I have a very strange problem with the OUTSIDE interface and remote ssh. Well, I have followed the documentation and configured remote access for ssh like this [1.]. If I want to connect from the internet to the OUTSIDE interface [2.] I get no response, and in the log I can see this message [3.]. I really do not understand why the ssh connection is dropped by the OUTSIDE access-list [4.]. If I understand the documentation correctly, the interface access-list has no impact on remote management/access like icmp, ssh, http(s). So, why?
    When I try an ssh connection from the internal network to the INSIDE interface everything works fine and I can log in to the ASA. If I try to allow ssh in the OUTSIDE access-list there is still no success and I get this message [5.]. It is strange, isn't it?
    The same problem with icmp: if I want to "ping" the OUTSIDE interface from the internet I get this message in the log [6.], with the configuration for ICMP like this [7.].
    Full ASA config is in attachment.
    Can anybody help with how to fix it and explain what exactly is wrong? Thanks.
    Regards,
    Karel
    [1.]
    ssh stricthostkeycheck
    ssh 10.0.0.0 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    ASA-FW01# show ssh
    Timeout: 60 minutes
    Version allowed: 2
    10.0.0.0 255.255.255.0 INSIDE
    0.0.0.0 0.0.0.0 OUTSIDE
    [2.]
    ASA-FW01# show nameif
    Interface                Name                     Security
    Vlan10                   INSIDE                   100
    Vlan20                   EXT-VLAN20                 0
    Vlan30                   EXT-WIFI-VLAN30           10
    Vlan100                  OUTSIDE                    0
    ASA-FW01# show ip
    System IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan10                   INSIDE                 10.0.0.1        255.255.255.0   CONFIG
    Vlan20                   EXT-VLAN20             10.0.1.1        255.255.255.0   CONFIG
    Vlan30                   EXT-WIFI-VLAN30        10.0.2.1        255.255.255.0   CONFIG
    Vlan100                  OUTSIDE                85.71.188.158   255.255.255.255 CONFIG
    Current IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan10                   INSIDE                 10.0.0.1        255.255.255.0   CONFIG
    Vlan20                   EXT-VLAN20             10.0.1.1        255.255.255.0   CONFIG
    Vlan30                   EXT-WIFI-VLAN30        10.0.2.1        255.255.255.0   CONFIG
    Vlan100                  OUTSIDE                85.71.188.158   255.255.255.255 CONFIG
    ASA-FW01# show interface OUTSIDE detail
    Interface Vlan100 "OUTSIDE", is up, line protocol is up
      Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
            Description: >>VLAN pro pripojeni do internetu<<
            MAC address f44e.05d0.6c17, MTU 1480
            IP address 85.71.188.158, subnet mask 255.255.255.255
      Traffic Statistics for "OUTSIDE":
            90008 packets input, 10328084 bytes
            60609 packets output, 13240078 bytes
            1213 packets dropped
          1 minute input rate 15 pkts/sec,  994 bytes/sec
    [3.]
    Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
    [4.]
    access-list OUTSIDE remark =======================================================================================
    access-list OUTSIDE extended permit icmp any any echo-reply
    access-list OUTSIDE extended deny ip any any log
    access-group OUTSIDE in interface OUTSIDE
    [5.]
    Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
    [6.]
    Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
    [7.]
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 10.0.0.0 255.0.0.0 INSIDE
    icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
    icmp permit any OUTSIDE

    You're right that the ACL should not affect otherwise allowed communications to the interface address.
    Try disabling the ip audit feature on your outside interface.
    no ip audit interface OUTSIDE AP_OUTSIDE_INFO
    no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK
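    The three log lines quoted in the question are exactly what to pull out of the ASA syslog feed when chasing a problem like this: 106100 is the interface ACL logging a hit, 106016 is the anti-spoof (reverse-path) check dropping a packet, and 400014 is the ip audit engine matching IDS signature 2004 (ICMP echo request), which is the feature the answer suggests disabling. The Python script below is an added example, not code from the thread or from Cisco: it parses those message types into fields, groups events per source address and flags drops aimed at a management port on the firewall's own interface IP, and runs a small check over the posted ssh lines. The set of "self" addresses, the management port list and the suggestion of dh-group14-sha1 as the stronger ASA 9.x key-exchange group are assumptions of the example; the sample input is the three lines from the post.

```python
"""Parse the ASA syslog messages quoted in this thread and correlate them per source.

Added example, not from the thread or from Cisco. Message IDs and field
layouts are the standard ASA ones: 106100 (ACL hit log), 106016 (anti-spoof
drop), 400014 (ip audit IDS signature). self_ips, MGMT_PORTS and the
dh-group14-sha1 recommendation are assumptions made for the demo.
"""
import re
from collections import Counter, defaultdict

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
BODY_RE = {
    # access-list <acl> permitted|denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) ...
    "106100": re.compile(
        r"access-list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\S+) "
        r"(?P<src_if>[^/ ]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
        r"(?P<dst_if>[^/ ]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    ),
    # Deny IP spoof from (<ip>) to <ip> on interface <if>
    "106016": re.compile(
        r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
    ),
    # IDS:<sig> <description> from <ip> to <ip> on interface <if>
    "400014": re.compile(
        r"IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
    ),
}
MGMT_PORTS = {22, 443}   # assumption: ssh and ASDM/https to the firewall itself


def parse_line(line):
    """Return a dict of fields for a recognised message, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "severity": int(m["sev"]), "msgid": m["msgid"]}
    body_re = BODY_RE.get(ev["msgid"])
    if body_re is None:
        return None
    b = body_re.match(m["body"])
    if b is None:
        return None
    ev.update(b.groupdict())
    for k in ("sport", "dport"):
        if k in ev:
            ev[k] = int(ev[k])
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize_by_source(events, self_ips):
    """Group by source IP; to_self_mgmt marks an ACL drop of traffic to a
    management port on one of the firewall's own addresses (this thread's symptom)."""
    out = defaultdict(lambda: {"msgids": Counter(), "to_self_mgmt": False, "spoof": False, "ids_sigs": set()})
    for ev in events:
        s = out[ev["src"]]
        s["msgids"][ev["msgid"]] += 1
        if (ev["msgid"] == "106100" and ev["verdict"] == "denied"
                and ev["dst"] in self_ips and ev["dport"] in MGMT_PORTS):
            s["to_self_mgmt"] = True
        if ev["msgid"] == "106016":
            s["spoof"] = True
        if ev["msgid"] == "400014":
            s["ids_sigs"].add(ev["sig"])
    return dict(out)


def check_ssh_config(config):
    """Flag management-plane settings in the posted 'ssh' lines worth tightening."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 4 and tok[0] == "ssh" and tok[1] == "0.0.0.0" and tok[2] == "0.0.0.0":
            findings.append(f"ssh allowed from any source on {tok[3]}; restrict to known admin networks")
        if line.strip() == "ssh key-exchange group dh-group1-sha1":
            findings.append("key-exchange dh-group1-sha1 is 1024-bit DH; prefer dh-group14-sha1 (ASA 9.x)")
    return findings


# Sample input: the three log lines quoted in the post.
SAMPLE_LOG = """\
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
"""
# The ssh lines from section [1.] of the post.
SAMPLE_SSH_CONFIG = """\
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh version 2
ssh key-exchange group dh-group1-sha1
"""

if __name__ == "__main__":
    for src, info in summarize_by_source(parse_log(SAMPLE_LOG), {"85.71.188.158"}).items():
        print(src, dict(info["msgids"]), "to_self_mgmt=%s spoof=%s ids=%s"
              % (info["to_self_mgmt"], info["spoof"], sorted(info["ids_sigs"])))
    for f in check_ssh_config(SAMPLE_SSH_CONFIG):
        print("finding:", f)
```

On the sample the one source shows up in all three message types against the OUTSIDE address, which is the pattern to look for before changing ACLs or ip audit: a single remote host whose packets to the firewall's own IP are being dropped by more than one subsystem.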
